
Re: Checkouts fail with mod_authz_svn/FakeBasicAuth

From: Travis P <svn_at_castle.fastmail.fm>
Date: 2004-10-01 17:27:11 CEST

(Switched to users@ mailing list as there's no indication this involves
a code issue and not user configuration difficulties.)

Just some debug ideas:

For debugging at least, you might want to try requiring the
authentication for all interactions, e.g. with this in your Location
block:
   SSLRequireSSL

You've tested reading some static web pages via authenticated SSL?
(with SSLRequireSSL again?)

The user id running Apache is the same one that created and owns
everything within the repository, yes?

-Travis

On Aug 5, 2004, at 7:16 AM, Dan Ports wrote:

> Hello all,
>
> I've run into what seems to be a bug in Subversion or Apache. The
> quick summary: checkouts fail when using mod_authz_svn with mod_ssl's
> FakeBasicAuth option to achieve repository access control based on
> client SSL certificates. This appears to be due to a problem with
> authentication in subrequests.
>
> I'll be the first to admit my ignorance about the internals of
> Subversion and Apache, so I may be misdiagnosing the problem. In
> particular, I have a possible fix/workaround, but I can't say whether
> it's actually the Right Thing to do. I suspect this may actually be an
> issue purely with Apache that's just being tickled by Subversion, but I
> thought I'd post here first in order to make sure it wasn't related to
> part of svn.
>
> I'm running Subversion 1.0.6 with Apache 2.0.50 under FreeBSD 4.10.
> I access my repository via HTTPS with SSL client certificates, and use
> mod_authz_svn to specify repository permissions. To make this work, I
> use mod_ssl's FakeBasicAuth option, which translates the client
> certificate into a faked Authorization header identifying the
> certificate, which mod_authz_svn can use to look up the user's
> permissions.
>
> With this configuration, some operations are possible on the
> repository, but checkouts fail with the following error:
> svn: REPORT request failed on '/svn/!svn/vcc/default'
> svn:
> Unable to open root of edit
>
> The relevant messages in the Apache logs:
> midnight-anchovy.mit.edu - - [05/Aug/2004:03:56:31 -0700] "REPORT
> /svn/!svn/vcc/default HTTP/1.1" 500 223
> (Note the lack of a username added by FakeBasicAuth.)
>
> [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] A failure
> occurred while driving the update report editor [500, #220000]
> [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] Unable to
> open root of edit [500, #220000]
>
> I've also observed that this error does not take place if I've granted
> world-read access to the repository, only if authentication is required
> to access the repository. (Of course, I've made sure that the client
> has the correct certificates and configuration.)
>
> It seems as though the Authorization header is not correctly added to
> the subrequest, causing the authentication to fail. I poked around a
> bit in the mod_ssl source, and found that I could make things work if I
> made the following changes to
> httpd-2.0.50/modules/ssl/ssl_engine_kernel.c:
>
> 1) Commented out the following lines (813-815 in my copy):
>     if (!ap_is_initial_req(r)) {
>         return DECLINED;
>     }
>
> 2) Added '&& ap_is_initial_req(r)' to the following conditional (line
> 823):
>     if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) {
>
> Now, not being an Apache expert, I don't know whether this is the
> correct fix. I'm not even entirely sure what my changes do -- in
> particular, I'm not totally clear on why the second change is
> necessary. I'm particularly suspicious because the first change
> involves disabling a check that someone explicitly added, presumably
> for some reason. But I've been running with this configuration for
> several weeks now, and everything seems to be working correctly. (I was
> initially using it under svn 1.0.5 and apache 2.0.49, then upgraded to
> 1.0.6/2.0.50.)
>
> Can one of you shed some light on this problem? In particular, is the
> fix I'm using correct? Is this issue related to the Subversion modules,
> or is it a pure Apache issue that I should pass along to the Apache
> folks? Or am I just doing something wrong? Any insights would be
> appreciated.
>
> Cheers,
>
> Dan
>
> --
> Dan R. K. Ports
> Research Minion
> Massachusetts Institute of Technology
> <drkp@mit.edu>
> Computer Science and Artificial Intelligence Lab
> <drkp@csail.mit.edu>

Received on Fri Oct 1 17:27:47 2004
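
The setup discussed in this thread, written out as an added example (not taken from either poster's actual configuration): a Location block combining client-certificate verification, FakeBasicAuth, mod_authz_svn and the SSLRequireSSL directive suggested above. All file paths, the /svn location and the realm name are assumed placeholders.

```apache
# Added example; every path below is an assumed placeholder.

# Virtual-host level: the CA that signs the client certificates.
SSLCACertificateFile /usr/local/etc/apache2/ssl/client-ca.crt

<Location /svn>
    DAV svn
    SVNPath /usr/local/svn/repos

    # Refuse any plain-HTTP request to this location.
    SSLRequireSSL

    # Demand a valid client certificate for every request here.
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Translate the certificate's subject DN into a faked
    # Basic Authorization header.
    SSLOptions +FakeBasicAuth

    # Ordinary Basic auth then consumes the faked header. Each entry in
    # the user file is "<subject DN>:xxj31ZMTZzkVA", the crypt() form of
    # the fixed word "password" that mod_ssl puts in the header.
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /usr/local/etc/apache2/svn-cert-users
    Require valid-user

    # Per-path access rules consulted by mod_authz_svn.
    AuthzSVNAccessFile /usr/local/etc/apache2/svn-authz
</Location>
```

With this in place, a request that reaches the repository without an authenticated user shows "-" in the user field of the access log, as in the REPORT line quoted above.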

This is an archived mail posted to the Subversion Users mailing list.
